syzbot


BUG: using __this_cpu_add() in preemptible code in __vmalloc_node_range (2)

Status: auto-closed as invalid on 2020/03/19 02:15
Reported-by: syzbot+23910014b3ffc7b5f427@syzkaller.appspotmail.com
First crash: 1619d, last: 1619d
Similar bugs (1)
Kernel: android-44
Title: BUG: using __this_cpu_add() in preemptible code in __vmalloc_node_range
Repro: (empty)
Cause bisect: (empty)
Fix bisect: (empty)
Count: 14
Last: 1761d
Reported: 1838d
Patched: 0/2
Status: auto-closed as invalid on 2019/10/29 01:24

Sample crash report:
CPU: 0 PID: 8124 Comm: syz-executor.4 Not tainted 4.4.174+ #4
 0000000000000000 a2bccaad4f9cd9f2 ffff8801cefe79f0 ffffffff81aad1a1
 1ffff10039dfcf41 ffff8801cfe94740 00000000024000c2[  236.095808] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=65535 sclass=netlink_route_socket
BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor.2/8137
caller is __this_cpu_preempt_check+0x1d/0x30 lib/smp_processor_id.c:62
 0000000000000000
 ffffffff82895080 ffff8801cefe7b00 ffffffff8148c0cb ffffffff00000001
Call Trace:
 [<ffffffff81aad1a1>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81aad1a1>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
 [<ffffffff8148c0cb>] warn_alloc_failed.cold+0x78/0x99 mm/page_alloc.c:2757
 [<ffffffff8145fb65>] __vmalloc_node_range mm/vmalloc.c:1693 [inline]
 [<ffffffff8145fb65>] __vmalloc_node_range+0x365/0x650 mm/vmalloc.c:1654
 [<ffffffff8146031c>] __vmalloc_node mm/vmalloc.c:1716 [inline]
 [<ffffffff8146031c>] __vmalloc_node_flags mm/vmalloc.c:1730 [inline]
 [<ffffffff8146031c>] vmalloc+0x5c/0x70 mm/vmalloc.c:1745
 [<ffffffff81979df9>] sel_write_load+0x119/0xf90 security/selinux/selinuxfs.c:527
 [<ffffffff81496916>] __vfs_write+0x116/0x3d0 fs/read_write.c:491
 [<ffffffff81498612>] vfs_write+0x182/0x4e0 fs/read_write.c:540
 [<ffffffff8149ac4c>] SYSC_write fs/read_write.c:587 [inline]
 [<ffffffff8149ac4c>] SyS_write+0xdc/0x1c0 fs/read_write.c:579
 [<ffffffff82718ba1>] entry_SYSCALL_64_fastpath+0x1e/0x9a
CPU: 1 PID: 8137 Comm: syz-executor.2 Not tainted 4.4.174+ #4
 0000000000000000 667c117cfa87a307 ffff8800b26577c8 ffffffff81aad1a1
 ffff8800baa3af80 0000000000000001 ffffffff82a861e0 ffffffff8292c040
 0000000000000001 ffff8800b2657808 ffffffff81b0ad83 ffff8801d0051180
Call Trace:
 [<ffffffff81aad1a1>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81aad1a1>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
 [<ffffffff81b0ad83>] check_preemption_disabled+0x1d3/0x200 lib/smp_processor_id.c:46
 [<ffffffff81b0aded>] __this_cpu_preempt_check+0x1d/0x30 lib/smp_processor_id.c:62
 [<ffffffff8240fcf5>] tcp_try_coalesce net/ipv4/tcp_input.c:4293 [inline]
 [<ffffffff8240fcf5>] tcp_try_coalesce+0x245/0x510 net/ipv4/tcp_input.c:4275
 [<ffffffff824100e7>] tcp_queue_rcv+0x127/0x6f0 net/ipv4/tcp_input.c:4539
 [<ffffffff8242494e>] tcp_send_rcvq+0x3de/0x4a0 net/ipv4/tcp_input.c:4585
 [<ffffffff823fd062>] tcp_sendmsg+0x2332/0x2ab0 net/ipv4/tcp.c:1134
 [<ffffffff824a8b42>] inet_sendmsg+0x202/0x4d0 net/ipv4/af_inet.c:755
 [<ffffffff821d838e>] sock_sendmsg_nosec net/socket.c:638 [inline]
 [<ffffffff821d838e>] sock_sendmsg+0xbe/0x110 net/socket.c:648
 [<ffffffff821d8615>] sock_write_iter+0x235/0x3d0 net/socket.c:847
 [<ffffffff81496ae8>] new_sync_write fs/read_write.c:480 [inline]
 [<ffffffff81496ae8>] __vfs_write+0x2e8/0x3d0 fs/read_write.c:493
 [<ffffffff81498612>] vfs_write+0x182/0x4e0 fs/read_write.c:540
 [<ffffffff8149ac4c>] SYSC_write fs/read_write.c:587 [inline]
 [<ffffffff8149ac4c>] SyS_write+0xdc/0x1c0 fs/read_write.c:579
 [<ffffffff82718ba1>] entry_SYSCALL_64_fastpath+0x1e/0x9a
Mem-Info:
active_anon:156525 inactive_anon:13050 isolated_anon:0
 active_file:7060 inactive_file:18194 isolated_file:0
 unevictable:0 dirty:166 writeback:0 unstable:0
 slab_reclaimable:5745 slab_unreclaimable:61442
 mapped:59428 shmem:13424 pagetables:3336 bounce:0
 free:1315686 free_pcp:602 free_cma:0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=65535 sclass=netlink_route_socket
DMA32 free:2398884kB min:4696kB low:5868kB high:7044kB active_anon:290348kB inactive_anon:23900kB active_file:13060kB inactive_file:32604kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:3145324kB managed:3021976kB mlocked:0kB dirty:148kB writeback:0kB mapped:109840kB shmem:24876kB slab_reclaimable:10796kB slab_unreclaimable:112028kB kernel_stack:3296kB pagetables:6692kB unstable:0kB bounce:0kB free_pcp:1160kB local_pcp:624kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no
lowmem_reserve[]: 0 3504 3504
Normal free:2864204kB min:5580kB low:6972kB high:8368kB active_anon:335752kB inactive_anon:28300kB active_file:15180kB inactive_file:40172kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:4718592kB managed:3588764kB mlocked:0kB dirty:516kB writeback:0kB mapped:127872kB shmem:28820kB slab_reclaimable:12184kB slab_unreclaimable:133600kB kernel_stack:4704kB pagetables:6504kB unstable:0kB bounce:0kB free_pcp:1164kB local_pcp:572kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no
lowmem_reserve[]: 0 0 0
DMA32: 279*4kB (UME) 77*8kB (UME) 28*16kB (UME) 21*32kB (UME) 44*64kB (UME) 28*128kB (UM) 9*256kB (UME) 1*512kB (E) 1*1024kB (M) 1*2048kB (M) 582*4096kB (UM) = 2399012kB
Normal: 187*4kB (UME) 66*8kB (UME) 373*16kB (UME) 82*32kB (UE) 46*64kB (UE) 19*128kB (UM) 9*256kB (UE) 4*512kB (UM) 2*1024kB (UE) 2*2048kB (ME) 693*4096kB (UM) = 2864268kB
38680 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap  = 0kB
Total swap = 0kB
1965979 pages RAM
0 pages HighMem/MovableOnly
313294 pages reserved
binder: release 8167:8187 transaction 18 out, still active
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8167:8187 ioctl 40046207 0 returned -16
binder_alloc: 8167: binder_alloc_buf, no vma
binder: 8167:8175 transaction failed 29189/-3, size 0-0 line 3137
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 8167:8175 transaction 18 in, still active
binder: send failed reply for transaction 18, target dead
audit: type=1401 audit(1574216050.669:44): op=security_bounded_transition seresult=denied oldcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 newcontext=unconfined_u:system_r:mount_t:s0-s0:c0.c1023
nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.
binder: 8267:8269 unknown command 570450700
binder: 8267:8269 ioctl c0306201 20000200 returned -22
binder: release 8267:8269 transaction 21 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: BINDER_SET_CONTEXT_MGR already set
binder: 8267:8280 ioctl 40046207 0 returned -16
binder: send failed reply for transaction 21, target dead
binder: 8267:8280 unknown command 570450700
binder: 8267:8280 ioctl c0306201 20000200 returned -22
capability: warning: `syz-executor.0' uses deprecated v2 capabilities in a way that may be insecure

Crashes (1):
Time: 2019/11/20 02:14
Kernel: https://android.googlesource.com/kernel/common android-4.4
Commit: 62872f952d6b
Syzkaller: 5bc70212
Config: .config
Log: console log
Report: report
Syz repro: (empty)
C repro: (empty)
VM info: (empty)
Assets: (empty)
Manager: ci-android-44-kasan-gce
Title: (empty)